Eschelbeck’s Laws

Gerhard Eschelbeck, CTO and VP-Engineering at Qualys, has revealed the 2005 iteration of his ‘Laws of Vulnerabilities’ research.

Key highlights:

• Significant progress is being made toward improving patching cycles – primarily due to vendors pre-scheduling their patch releases.
• However, the time-to-exploit cycle is still shrinking – 85% of damage from automated attacks occurs within the first fifteen days from the outbreak.
• Two out of three, or nearly 70% of systems, are currently vulnerable and in jeopardy of potential exploit or attack.
• 50% of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis.
• There’s a clear 90:10 rule: ninety per cent of security exposures are caused by only 10% of critical vulnerabilities.
• The issue of vulnerabilities in wireless devices is a myth – only one in 20,000 of the vulnerabilities studied lurk in these devices.
• 85% of the damage from automated attacks is created within the first fifteen days of the outbreak – speed is of the essence.
• There are significant vulnerabilities which have existed for five years that could still bring your routers or servers crashing down.

Brian McKenna spoke to Gerhard Eschelbeck at CSI 2005 in Washington.

You’re well known for your research on vulnerabilities. How does this kind of technical research play into what IT security managers need to do these days in terms of enterprise risk management?

Making the case for vulnerability data, you can talk all day about specific vulnerabilities, how critical they are, what needs to be done to get them fixed, and so on. But you also need to message that information into reports that will be acceptable to executive management, where you precisely don’t talk about the severity of a particular vulnerability, but where you talk instead about the risk to the organization.

The ability to adjust for that is not something you can do in a vacuum. In our case, as a supplier, we need to talk to customers. The risk management approach that we have taken with Qualys is something that came predominantly from customers.

For example?

One customer told us: “it’s great that you do all this vulnerability analysis for me, but I am missing the ability to know what my assets are. What is my configuration of those assets? What systems do I have in my network? You have all this data, but you don’t present it to me”.

That response triggered a major re-think in our way of thinking. And so, in an updated release in 2006, asset management will be there. We did some validation with six other customers – and they confirmed that what they really wanted was real time updated asset information. A lot of customers are tracking assets by simple databases, or Excel. But those are not being updated.

Eighty per cent of requirements come from customers. They tell you very precisely and honestly what they want – you just have to listen, but listen very carefully. And see the patterns.

Where is the IT security industry going?

2006 will be, in my opinion, the year of moving security enforcement into the network. There has been a lot of talk about that this year, but it is not ready for prime time yet. It’s all about infrastructures that have the ability, whenever you bring a new system on to the network, to validate that system before you bring it on. Examples of this trend are Juniper’s recent acquisition of Funk Software, Cisco’s self-defending network, Microsoft’s efforts here, and Symantec with the Sygate acquisition. You can’t just keep the network on a flat basis, as it is today. So, both from an authentication but also from a health perspective, you have to do that.

We continue to patch and to patch faster, but the question is: ‘can you get ahead of it?’ Security enforcement is a clear way of how you can get ahead by an order of magnitude.

There is just a physical limit that you reach at some point in time, and you can only eliminate that by taking a major step forward in the technology.

So, all the big players are on this trail. The question is not: ‘will we get there?’ It is more ‘will it all be interoperable?’ How do you ensure that? It’s no longer about individual technologies; it’s more about the whole security fabric – with scanners talking to the routers talking to the policy servers, and so on. It is no longer just a one-vendor play.

John Roese, CTO at Enterasys, was talking recently about a coming explosion in the size of our networks, with the move to a machine-centric world – the IP-enabling of devices that have previously not been IP-enabled. Your scanning runs against any device with an IP address. What is your take on this?

I don’t disagree, but what has to happen before that widespread proliferation of connectivity is ubiquitous wireless connectivity.

The biggest issue for all those embedded devices is the difficulty of patching them. If you think about Microsoft, they have made it really easy to patch, there is no excuse, now. But how hard will it be to patch even mobile devices? We’ll need an automated system. I don’t question the value of doing this – but vendors do have to start thinking about it now — about the maintainability of those systems.

You find a lot of bugs, and there are many other security researchers who do that. What do you do if a vendor doesn’t respond?

This does happen. And it has happened to me. There are even some who threaten to sue! There are bugs in a lot of embedded devices, especially from the smaller vendors – for example, videoconferencing systems, big time. But the vendors who want to be serious about security are responsive. They want to learn. Those who don’t will get burned and so will get serious. If they don’t respond after three times you could go public, but there is no value in doing that. You just have to forget about it.

Maybe there should be government agencies you could report errant vendors to?

I’m not sure if the government is the right entity to arbitrate such issues. The market is regulating itself. Vendors who get burned do major initiatives in security, and some just take the initiative on their own. I certainly don’t believe in irresponsible disclosure. But it is a controversial subject!

Links to the top ten internal and external vulnerabilities:

http://www.qualys.com/research/rnd/top10/
